Slashdot Mirror


User: mborland

mborland's activity in the archive.

Stories: 0 · Comments: 123

Comments · 123

  1. Re:Civil Protest on FBI Adds to Wiretap Wish List · · Score: 5, Interesting
    If all significant Internet traffic was adequately encrypted it wouldn't much matter if they could tap the packets, it would be too costly to decrypt it.

    I agree generally with the intent of your statement, but have two concerns:

    1) The government still should not have the right to monitor packets; you don't want them to use the 'well, you can always encrypt your traffic' argument to support general sniffing, and

    2) Even if they can't decrypt the payload efficiently, they can still tell where the packets are going and presumably draw conclusions from that. Most likely they'd use such conclusions to get warrants for further access to your systems.

    For example, you get spam or other traffic from some hijacked computer in Syria/Chad...these days that would be enough to establish possible terrorist links--especially if the payload was encrypted.

    No monitoring whatsoever is appropriate.

  2. Re:lipstick on a pig on Microsoft's Security Report Card · · Score: 1
    And don't get me started on its awful SSL implementation.

    Hear, hear. Although MS does come out with a regular stream of patches for IE, it's quite obvious that the browser itself has some serious (system) design flaws, particularly with respect to its SSL implementation. I'm still wrangling with header tweaks and such to make IE behave in relatively normal situations (Pragma: no-cache header in IE on an SSL download page--sorry, no dice).

    Why does this indicate a security problem? Because generally bad system design in an implementation leads directly to more flaws. And I can see the design problems with IE just from using it, so I can only guess there is a treasure trove of security bugs.

    Compare this with Mozilla. I am certain Mozilla is loaded with security bugs. However, it seems to be more standards-capable than IE, and less prone to the sort of 'D-oh' design flaws (in the last two years, I have not had to do ANY fiddling with headers, etc. to get Mozilla to work). As a result I guess that it's less likely to fail (and create a security hole) in normal operation.

  3. Re:Google made a big mistake choosing Linux on SCO Approaches Google About Linux Licenses · · Score: 2, Interesting
    NT is actually VMS at its core.

    NT took many cues from VMS, yes, but it is definitely not VMS at its core. It took a lot of great features of VMS (MS hired a primary architect of VMS) but that doesn't mean it -is actually- VMS.

  4. Re:Perhaps this is good on E-voting Patches Skew Election? · · Score: 1
    At least a computer wouldn't vote based solely upon Democratic & Republican lines and wouldn't have a name recognition bias.

    True, but having 'Schwarzenegger' on the ballot may trigger a buffer overrun...Sorry.

  5. Re:Messenger on Yet Another Critical Windows Flaw · · Score: 1
    Has anyone out there actually used it?

    Yes, I know at least two companies that used it rather frequently. In both cases, they would use it for batch-completion notifications and things like that.

    That all said, I hate it and it seems like a prime candidate for abuse in various forms. Obviously.

  6. Nomenclature on Yet Another Critical Windows Flaw · · Score: 1
    I don't know if it's MS or the poster, but we should make sure to clean up the nomenclature for these various 'messenger' services. In XP, clicking on the service labeled 'Messenger' displays the help on the left which says: "...This service is not related to Windows Messenger." The poster, though, referred to this as the "Windows Messenger Service."

    I want to shoot the Messenger, but it's hard to tell which one!

    But not to worry, visiting the MS link in the post and following the directions cleared up the issue.

  7. Re:That is an excellent news. on Longhorn in 2006 · · Score: 1
    In addition to what you listed, I'd also say that MS is going to lose a lot of their real money maker: Office. As a small business owner I cannot justify using MS Office for most of the routine stuff people use it for. Many organizations I know of are now dumping Office for OpenOffice.

  8. Re:Spellchecker? on Linus to SCO: 'Please Grow Up' · · Score: 1
    I think the spelling is OK (bated is a word, if that's what you meant) although 'about what you are blathering about' is a little grammatically redundant.

    Now, I don't use a whole heck of a lot of OSS software...Linux and other OSS projects are looking more and more, well, childish by the day.

    Maybe if you'd use it you'd realize how mature it is. :-) Don't let the talk fool you!

  9. Re:Sidechannel attacks on WindowsUpdate.com Secured, Permanently · · Score: 1
    Parent--good post, many good points. One obvious alternative attack would be to have the worm look up the host of the update site from the infected client...instead of hard-coding the hostname or numbers, it determines the update host the same way the Windows Update client program does. (It must be easy to find this...a URL in the registry?) This way if MS changes the DNS records for WU, that would make it impossible for users to access Windows Update itself. So, you are right, as you say, "The real solution isn't to keep trying to dodge the bullet. The solution to become bulletproof." Well, close to bulletproof, at least.

    Your note about customization of security features is important. For example, I tend to compile & configure Apache to a pretty minimal number of modules. You can configure IIS to run minimally, but obviously you can't recompile it to be certain the functions are unavailable! The less code that is available to exploit...the better.

  10. Re:OO databases are an evolutionary step...backwar on Object Prevalence: Get Rid of Your Database? · · Score: 1
    I agree. In an RDBMS it's really easy to 'navigate' to any entity (entities are peers of each other--though they are tied via keys they are all just 'tables'), and it's especially easy to tie lots of entities together in all kinds of different ways. Cross-entity sorting, aggregate functions, etc. are all pretty well optimized in any RDBMS environment, and my feeling is that in an OODBMS both of those would be quite a bit harder to implement/use.

    Finally, there's something so wonderful about grids of data. All tables are grids. Run a query, you have a grid. Use it as a recordset in client code; make it a temp table; select it into an existing table. All very simple, and easy for even a non-DBA to understand. Getting back an object tree? Obviously would fit into Java objects well, but arguably less transportable.

    If none of what I've said makes sense--sorry, I only post to Slashdot when my blood sugar is low...

  11. Re:Monopoly Abuse? on Microsoft takes on PDF · · Score: 2, Informative
    I agree that it will be good to have a competitor to PDF. Regardless of what lots of posters seem to think, Adobe has been particularly bad about supporting the creation and display of PDFs. Distiller, which of course can turn print jobs into PDFs, has serious flaws (unstable, inconsistent results, etc.). So serious that when I had to automate PDF creation, I had to go with completely different tools (the best tool out there: FOP, the open-source Jakarta project from our friends at Apache!). FOP always created clean, perfect PDFs, where Distiller was very uneven in its output. Yeah, 3rd party tools are often better than the vendor's solutions, but in this case Adobe still has yet to build a decent API for creating PDFs.

    Acrobat Reader is even worse. When it runs in 'embedded' mode in your browser, it acts significantly differently from when it runs 'outside' the browser. In fact, if you load some PDFs in embedded mode it will fail to load properly, but if you simply tell it to load outside the browser it will load the file fine. These are known problems on the Acrobat/PDF 'support' boards. Some of the problems have more to do with IE, but if that is the case the default should not be to run Acrobat embedded. What is sad is that these and other problems simply languish out there for YEARS and Adobe doesn't really seem to care about these problems.

    In other words, Adobe had very poor tools for developers wanting to build PDFs, and poor support for Acrobat Reader. Yeah, some third parties sprung up to fill the void...but I'd like a little competition to get Adobe out of their slumber. They have been sitting on Adobe and Photoshop for too long now.

  12. Re:One more reason not to Blog on Blogger Hacked · · Score: 2
    Never trusted it.

    I'm right on board with you. They didn't seem to do much to secure the database, when I looked at it over a year or so ago. I became more concerned when they basically became a one-person operation, and have avoided the service like Kryptonite.

    Let this be a lesson--learn to trust your service providers before you jump on board with them. Also, use common sense and avoid services that store your FTP (and possibly ISP!) account info.

  13. Re:It it real or just a stunt? on Lofgren's Anti-DRM Bill · · Score: 2
    Interesting points, to which I have a few comments:

    Every year, minority parties and candidates dredge up lost causes on nearly every controversial issue that they hope will improve the odds in upcoming elections.

    True, that is most likely what this is. But what is wrong with that? Every candidate has a platform, and if that platform is sufficient to get them elected, then that means the platform carries some respect, both at the election and usually after. In other words, it becomes a valid issue for political discussion. This is significant because until now this has not been a valid issue.

    I think we're much more likely to have our rights protected by the courts than by Congress.

    I'd like to think that as well, but have you seen the Supreme Court's rulings lately? I'd rather have at least two legs of the checks-and-balances stool be in our favor.

  14. Re:Wha? on Building Java Enterprise Applications, Volume I · · Score: 2
    I like two tier applications too... it seems that often people put in a middle tier just to have 3.

    My feelings as well. Unless you're actually going to use the middle-tier as such, it's probably not worth it. Usually I try to use functions/stored procs as a pseudo-middle-tier. This helps with basic DB security (by removing direct access to tables) and also helps enumerate and optimize queries/actions, for ease of development and faster responses, respectively.

    I used to get into battles over 2- vs. n-tier solutions (for simple apps) but now it seems that the battle has quieted, as people are more versed with the pros and cons of either approach.

  15. Re:Wha? on Building Java Enterprise Applications, Volume I · · Score: 5, Informative
    I thought this whole "New Economy" was dead & buried.

    A lot of people seem to equate EJB/J2EE with dot-bombs. I think that's unfortunate, because it can be a really useful framework for development. Certainly there are times when people have overapplied EJB (used it where they shouldn't have) and there are also organizations whose projects get mired when trying to work in such a framework (but they are usually mired because they're sprawling projects, not because of the framework).

    I tend to use 'slimmer' solutions than a full-blown framework like EJB (yes, I like 2- and 2.5-tier applications). ;-) But I would like to caution those who strike out at Java/EJB/J2EE as though it's just marketing speak. It ain't all a crock, and like anything that achieves some popularity it will attract idiots who will give others a bad impression.

  16. Re:Or you could just... on Houston, We Have a Software Problem · · Score: 2
    At some point it might be cheaper to give up on computers and just pilot the Shuttle by hand.

    That's true if you don't value human lives (I don't mean that to be inflammatory). IIRC only one person has actually flown the Shuttle through all of re-entry. It is actually way too dangerous to leave that sort of thing up to humans on a regular basis, for if the experienced pilot on board passed out, etc. there would be no recourse and the Shuttle and its crew would be lost. Better to have that process rely on multiple redundant computing processes.

  17. Re:why they ever don't get it right about game des on Will Wright on Game Design · · Score: 5, Interesting
    Good game design lets you slip into the role of an actor, not a designer; that's what all the arcade stuff was all about. [...] Am I really the only one with this opinion?

    Lots of people share your opinion, that's OK--we all play differently. ;-) For example, I enjoy the kinds of games he's talking about. There's something voyeuristic and interesting about playing a game -similar- to reality, but not quite. I was constantly making up games as a kid. Card games that played like strategy board games, acted-out games, computer games that vaguely operated like arcade games...and what was fun was that given a very loose rule set, you eventually created a good game, with rules of your own creation. Typical toy soldiers scenario--take a hundred green plastic men, an unkempt bedroom, and anything can happen! One group defects. There are spies. A dog suddenly kills off a dozen of your country's best. This is great fun (for me)!

    Strategy games, and also games like the Sims, are a foggy mirror on reality, and although there are sometimes 'better' ways to play each game, the rules are not limited to those in the book/code. For example, say in Civ I have a really successful Swordsman, who has had numerous victories under his belt, but now is becoming outdated. Instead of upgrading/scrapping him, I will usually send him to either the capital city, or the city last conquered, and station him there for eternity as a reminder of their courage. This action -definitely- doesn't affect the gameplay much, but it means the world to my gaming experience. With something like the Sims, the experience (like life) is composed almost entirely of those kinds of experiences alone. 'Oh, that's the guy who peed in my kitchen...ew.' 'I tried hitting on her once...didn't work.' These are experiences, which for me are a little more memorable than, for example, 'how damn high my resolution was.' Note that I enjoy FPS' as well, and you can build the same sorts of experiences playing those...I just meant to speak to the notion that open-ended games are interesting, at least to some.

  18. Re:Wolfedit, Wolf3d on A High-School Hacker's Notebook · · Score: 1
    Heh, old WolfEdit. I used the mac version, redid the four-level computing center at college for Wolfenstein, and it worked really well. I still play that mod from time to time.

  19. Re:funny... on IE and Konqueror Bug Makes SSL Insecure · · Score: 1
    That is funny...it might be because they check both the browser -and- the OS. For example, perhaps they let in IE 4+ for all Windows systems, but didn't factor IE in for Macintosh...

    I work at a bank, and we don't do a lot of testing for the Mac (not my choice, just the way it goes) so it's possible that, as in our case, the browser requirements just don't make as much sense for Mac because they haven't been thoroughly thought out.

    Another difference might be if IE on his box didn't have 128-bit encryption but NS/Mozilla did.

  20. IT in the media on USA Today says "Linux waddles from obscurity" · · Score: 1
    What they'd do, upgrade from 20MHz Sun boxes to Pentium III 933s?

    Agreed, their statement was very silly.

    I could understand if they were comparing two different database approaches...I worked on a project where we took a process that took 2 weeks on an Access database (granted, the programming was at fault, not the database so much) and converted it to Oracle (could have been any reasonable database) and the process would complete under four hours (including manual report collation, etc.).

    Yes, this kind of overstatement on the part of USA Today is frustrating...however I doubt (fear?) that IT managers would rely on that statement to switch their server OSes.

  21. Re:blocking network traffic on OpenSSH Package Trojaned · · Score: 2
    First, my post was actually about how defense-in-depth is useful, and how firewalls and local use of iptables play a part of that. If you have thousands of machines connecting to the internet, would you still not benefit from locking down unused ports? No? You want your thousands of machines to make ad-hoc connections directly to the internet? OK, no argument here--you are obviously in control of that situation.

    As for 'most' corporate installations, both your DMZ servers and your internal servers should be locked down to only initiate connections specific to their purpose. Shame on those who allow more than that from their servers.

    Tip: getting defensive and using Argumentum ad Hominem doesn't make a useful post.

  22. Re:Trojaned source distributions on OpenSSH Package Trojaned · · Score: 2
    At this point I think we need to make the assumption that the problem is a bit more common than viewing these compromises individually would suggest, and perhaps these individual events can even be linked together.

    I agree...if you host code out on the internet, you should probably have a process on another machine that checks size/timestamps, or downloads the file and checks the signature of the file on the remote server on a routine basis. This way, if there is tampering, you know very soon thereafter.

    Also, having checksums and signatures at sites separate from the downloads is a great idea (that helped identify the problem in this case).
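
A minimal version of the routine check this comment describes, added here as an example and not part of the original post: a POSIX shell script that a cron job on a separate machine could run to compare a hosted release file against a size and SHA-256 digest published elsewhere. The file name, the published baseline and the tampering step are all constructed for the demo (temporary files); a real deployment would fetch the file from the download server first (e.g. with curl) and would normally also run gpg --verify on the detached signature rather than rely on a digest alone.

```shell
#!/bin/sh
# Added example: routine integrity check of a hosted release against a digest
# kept somewhere other than the download server. All paths here are constructed
# for the demo (temporary files), not the layout of any real mirror.

# sha256_of FILE: print the SHA-256 hex digest, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# size_of FILE: byte count, the cheap first-line check the comment mentions.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_release FILE EXPECTED_SIZE EXPECTED_DIGEST
# Returns 0 when both size and digest match, 1 otherwise (reason on stderr).
verify_release() {
    file=$1 expected_size=$2 expected_digest=$3
    actual_size=$(size_of "$file")
    if [ "$actual_size" != "$expected_size" ]; then
        echo "$file: size $actual_size, expected $expected_size" >&2
        return 1
    fi
    actual_digest=$(sha256_of "$file")
    if [ "$actual_digest" != "$expected_digest" ]; then
        echo "$file: digest mismatch (size unchanged: a same-size substitution)" >&2
        return 1
    fi
    return 0
}

# check_cycle FILE SIZE DIGEST: one cron-style run; prints CLEAN or TAMPERED,
# which is the line you would want to see in the monitoring host's log.
check_cycle() {
    if verify_release "$1" "$2" "$3" 2>/dev/null; then
        echo CLEAN
    else
        echo TAMPERED
    fi
}

# --- Constructed demo data -------------------------------------------------
WORK=$(mktemp -d)
RELEASE="$WORK/example-release.tar.gz"        # stand-in for the hosted tarball
printf 'pretend tarball contents\n' > "$RELEASE"
# Baseline the maintainer would publish on the separate host (constructed here).
PUBLISHED_SIZE=$(size_of "$RELEASE")
PUBLISHED_DIGEST=$(sha256_of "$RELEASE")

# same_size_swap FILE: replace contents with different bytes of equal length,
# the case a size/timestamp check on its own would miss.
same_size_swap() {
    printf 'PRETEND tarball contents\n' > "$1"
}

echo "first run:  $(check_cycle "$RELEASE" "$PUBLISHED_SIZE" "$PUBLISHED_DIGEST")"
same_size_swap "$RELEASE"
echo "after swap: $(check_cycle "$RELEASE" "$PUBLISHED_SIZE" "$PUBLISHED_DIGEST")"
```

The size check runs first because it is nearly free and catches the common case (a trojaned tarball with extra bytes); the digest comparison is what catches a replacement padded to the same length. Keeping the baseline on a host the download server cannot write to is the whole point: a compromise of the mirror then cannot quietly update the expected values.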

  23. blocking network traffic on OpenSSH Package Trojaned · · Score: 3, Informative
    This sort of a problem is a proof of defense-in-depth practices. Most people have pointed out the value of creating (and checking) gpg signatures, but in addition if you use iptables on the target machine (or a firewall elsewhere) your security is improved quite a bit. If you impose stringent rules, you reduce the possibility that trojaned code will be able to contact-the-mothership/scan/DoS. If you log such unusual activity, then it will be pretty obvious that something has gone wrong.

    In particular, if the machine in question is a server (usually the reason you have SSH on a box), you should make every possible effort to remove outgoing traffic. There's usually no reason for a server to create outgoing connections to the internet, and if it needs to connect to any specific local resources (e.g. a database machine), limit the iptables/routers appropriately.
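
An illustration of the egress lockdown this comment recommends, added here as an example rather than something from the original post: a POSIX shell script that emits an iptables-restore ruleset whose OUTPUT policy is DROP, permits only loopback, replies on established sessions, DNS to an assumed internal resolver and PostgreSQL to an assumed database host, and logs then drops everything else. The addresses, the database port and the log rate are assumptions for the demo; apply_ruleset needs root and iptables-restore and is defined but never invoked, so the script itself is safe to run anywhere.

```shell
#!/bin/sh
# Added example: generate (and sanity-check) a restrictive egress ruleset for a
# server in iptables-restore format. Addresses and ports below are assumptions
# for the demo, not values from any real deployment.

DNS_HOST=${DNS_HOST:-10.0.0.2}     # assumed internal resolver
DB_HOST=${DB_HOST:-10.0.0.20}      # assumed database machine the server needs
DB_PORT=${DB_PORT:-5432}
LOG_RATE=${LOG_RATE:-5/min}        # keep a noisy trojan from flooding the log

# egress_ruleset: print a filter table whose OUTPUT policy is DROP. Only
# loopback, replies on established sessions, DNS to the resolver and the DB
# port are allowed out; anything else is logged with a prefix, then dropped.
egress_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:EGRESS_LOG - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -d $DNS_HOST --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $DNS_HOST --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $DB_HOST --dport $DB_PORT -j ACCEPT
-A OUTPUT -j EGRESS_LOG
-A EGRESS_LOG -m limit --limit $LOG_RATE -j LOG --log-prefix "EGRESS-DENIED: "
-A EGRESS_LOG -j DROP
COMMIT
EOF
}

# lint_ruleset: the checks worth running before loading rules on a fleet:
# default-deny on OUTPUT, a LOG rule present, and the catch-all chain
# finishing with DROP (a LOG with no DROP after it only looks like a block).
lint_ruleset() {
    rules=$(egress_ruleset)
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' \
        || { echo "lint: OUTPUT policy is not DROP" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- '-j LOG' \
        || { echo "lint: denied egress is not logged" >&2; return 1; }
    last=$(printf '%s\n' "$rules" | grep '^-A EGRESS_LOG' | tail -n 1)
    case "$last" in
        *"-j DROP") return 0 ;;
        *) echo "lint: EGRESS_LOG chain does not end in DROP" >&2; return 1 ;;
    esac
}

# accept_count: number of explicit ACCEPT rules, a quick size check on the
# allow-list (every addition should be justified by the server's purpose).
accept_count() {
    egress_ruleset | grep -c -- '-j ACCEPT'
}

# apply_ruleset: load atomically. Needs root and iptables-restore; defined
# here but deliberately not called.
apply_ruleset() {
    egress_ruleset | iptables-restore
}

lint_ruleset && echo "ruleset OK, $(accept_count) ACCEPT rules"
```

With this loaded, a trojaned binary that tries to reach out from the server produces kernel log lines carrying the EGRESS-DENIED prefix, so the detection the comment describes is a grep of syslog or dmesg for that prefix; the limit match keeps a scanning process from drowning the log while still leaving enough entries to notice.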

  24. Re:OK. I admit I'm biting on OpenSSL Security Update · · Score: 3, Insightful
    Doesn't OpenSSH rely on OpenSSL to function?
    No.
    Really? I need it for the install of SSH, and ssh -V indicates the version of OpenSSL used. Maybe you mean that OpenSSH is not vulnerable due to the way it uses the libraries.

    A little clarification might be useful.

  25. Re:I didn't know all IP = Internet on Schmidt Predicts Digital Sky Is Falling · · Score: 5, Insightful
    While I could imagine a worm moving through the internet fairly quickly, I can't imagine it doing too much serious harm. I mean, nothing could be much more serious than Code Red or Melissa or something.

    I think I agree with your general points, but actually the worms could have been a lot worse. Had Code Red, for example, performed destructive actions on the target servers, it would have been an absolute disaster, and everyone would have remembered The Day Code Red Hit. As it was, most people disabled the exploited feature or applied hotfixes, and were back on their feet again.

    Imagine if it had just deleted the boot.ini, and/or perhaps several megabytes of critical files (critical enough to fail on reboot but not to halt current operation)? It would continue to scan, and if the admin rebooted (that is the first line of defense, after all!) they would be hosed. Perhaps it would actually be worse to delete the 'non-standard' files, like user files...destroying web sites and forcing admins to go to backups (Windows admins do keep backups, don't they?). Imagine 300,000 boxes being hosed within a short period!

    Be fearless, build firewalls, and update your software, and ignore this moron

    Amen!